Versions Compared

Old Version 6

changes.mady.by.user Tony Johnson

Saved on

compared with

New Version Current

changes.mady.by.user Tony Johnson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

...

Secure Oracle

...

Paswords for GLAST

SCCS security team has mandated that Oracle passwords be changed every six months. Before now oracle passwords at the lab have never been changed, and as a result have been commonly "baked in" to hundreds of scripts and programs.

Goals

Our goals were threefold

  1. Remove passwords baked in to existing programs and store them somewhere where they can be maintained securely.
  2. Ensure that passwords can be changed in the future without disruption of the GLAST data processsing processing including long running servers.
  3. Avoid the necessity of sharing all the oracle passwords with all the developers in the group.

Techniques

After discussion with the SCCS database group we attempted to adopt two methodologies to address these goals:

  1. Use Oracle wallet to securely store passwords.
  2. Use Oracle roles so that developers can use their own personal accounts, and service accounts can be created specifically for use by servers and similar processes.

Status

We have succeeded in getting our tomcat and other servers to run using oracle wallet. (The tomcat servers are in production, the other servers are running in DEV and need CCB approval to move to prod). This indeed makes it possible to change the password in the database and (quickly) update the credentials stored in Oracle wallet. This took much more time than expected because of many quirks in oracle wallet, and because oracle wallet is not supported in the oracle "thin" JDBC driver we have been using up to now.

...

In conclusion we have spent a considerable amount of time on setting up oracle wallet and experimenting with roles etc. This effort will enable us to change oracle passwords in the future without downtime for our critical servers, but has resulted in a system which is currently considerable less secure than before. This has taken a considerable amount of manpower which should have been directed to more pressing needs.

In future we should ensure that the for similar security teammandates

  • The SLAC security teams gives Gives experiments sufficient lead time for such security related changes. This would typically be at least one year.
  • Discusses it detail with the experiment the need for such changes.
  • Ensure that an accurate assessment of manpower required implement changes is established at the outset, including manpower needed to research solutions before deciding on and implementing the chosen solution.
  • Where possible the manpower to implement such security changes should come at least in part from SCCS itself. The resulting solutions should be documented and made available to everyone in the lab.

Background details

Oracle wallet

Oracle wallet gives the appearance of having been written by a high-school student on their first programming assignment. In particular:

...